Авторизация kibana через nginx + openldap

Как организовать аутентификацию пользователей Kibana без X-Pack — конечно, не такую удобную, но всё же. Сделаем это через OpenLDAP и nginx с модулем nginx-auth-ldap: nginx проверяет логин/пароль в каталоге и только потом проксирует запрос в Kibana.
Соберём Docker-образ с nginx 1.13.10 и модулем nginx-auth-ldap на базе Alpine — размер образа около 74 МБ. Учтите, что зафиксированные в Dockerfile версии (nginx 1.13.10, LibreSSL 2.6.4) давно не поддерживаются — перед использованием в бою обновите их и проверьте актуальные advisories.

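# syntax=docker/dockerfile:1
# nginx 1.13.10 on Alpine, statically linked against LibreSSL, with nginx-auth-ldap,
# lua-nginx-module, ngx_cache_purge, ngx_http_substitutions_filter_module and
# nginx-module-vts compiled in. Everything is built and the toolchain removed in one
# layer, so the final image keeps only nginx, its runtime .so dependencies, envsubst,
# tzdata, ca-certificates and the nginx-vts-exporter binary.
#
# Runtime model: nginx is PID 1. The master process stays root (it binds 80/443 and
# reads the config, which holds the LDAP bind password); workers drop to the
# --user/--group configured below. There is deliberately no USER directive.
#
# Changes against the original build: https + optional sha256 check for every
# download, https instead of git:// for clones, pinnable git refs, no second
# --with-debug build / chmod 777 pass, the unused pcre and nginx-image downloads are
# dropped (pcre was never passed via --with-pcre, so nginx links the system pcre),
# error.log goes to stderr, EXPOSE lists 443, STOPSIGNAL is SIGQUIT (graceful).
FROM alpine:3.7

LABEL maintainer="Human <007@itc-life.ru>"

# NGINX_VERSION stays ENV (as in the official image) so tooling can read it at runtime;
# everything else is build-time only and therefore ARG, not ENV.
ENV NGINX_VERSION=1.13.10
# NOTE(review): 1.13.10 and LibreSSL 2.6.4 are well past their support windows. This
# build enables http_v2 and mp4, both touched by later nginx security releases
# (see CVE-2018-16843/16844/16845) — bump the versions before deploying.
ARG COMPILE_DIR=/build
ARG NB_PROC=4
ARG VERSION_LIBRESSL=libressl-2.6.4
ARG VERSION_NGINX=nginx-$NGINX_VERSION
ARG VERSION_LUAJIT=LuaJIT-2.0.4
ARG VERSION_VTS_EXPORTER=0.8.3
# Source mirrors: https only, so tarballs cannot be swapped in transit.
ARG SOURCE_LIBRESSL=https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
ARG SOURCE_NGINX=https://nginx.org/download/
ARG STATICLIBSSL=$COMPILE_DIR/$VERSION_LIBRESSL
# Expected sha256 of each download. Empty = not checked (the original behaviour);
# pass --build-arg NGINX_SHA256=... etc. to pin. Take the values from the upstream
# release signature / SHA256 files, not from a mirror.
ARG NGINX_SHA256=""
ARG LIBRESSL_SHA256=""
ARG LUAJIT_SHA256=""
ARG VTS_EXPORTER_SHA256=""
# Git refs for the third-party modules. "master" reproduces the original build but
# is not reproducible; pin each to a tag or commit for real builds.
# NOTE(review): lua-nginx-module master may need a newer LuaJIT than 2.0.4 —
# confirm the pinned ref builds against VERSION_LUAJIT.
ARG REF_VTS=master
ARG REF_CACHE_PURGE=master
ARG REF_LUA=master
ARG REF_SUBS=master
ARG REF_AUTH_LDAP=master

RUN set -eux; \
    # check SHA256 FILE — no-op when SHA256 is empty, otherwise aborts on mismatch.
    check() { [ -z "$1" ] || echo "$1  $2" | sha256sum -c -; }; \
    # clone OWNER/REPO DIR REF — https clone, then pin to REF (tag, branch or commit).
    clone() { git clone "https://github.com/$1.git" "$COMPILE_DIR/$2"; git -C "$COMPILE_DIR/$2" checkout -q "$3"; }; \
    \
    # Permanent packages: CA bundle (TLS verification at build time and for ldaps
    # at runtime) and tzdata so TZ can be set through the environment.
    apk add --no-cache ca-certificates tzdata; \
    \
    # Runtime accounts. The configure flags below use --user=nginx/--group=nginx;
    # that account must exist, otherwise nginx aborts at startup with
    # `getpwnam("nginx") failed` when nginx.conf sets no `user` directive.
    # www-data is kept for configs that name it explicitly.
    addgroup -S nginx; \
    adduser -D -S -H -s /sbin/nologin -G nginx nginx; \
    addgroup -S www-data; \
    adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G www-data www-data; \
    \
    apk add --no-cache --virtual .build-deps \
        curl \
        gcc \
        gd-dev \
        geoip-dev \
        git \
        gnupg \
        libc-dev \
        libldap \
        libxslt-dev \
        linux-headers \
        make \
        openldap-backend-all \
        openldap-dev \
        pcre-dev \
        unzip \
        wget \
        zlib-dev \
    ; \
    \
    mkdir -p "$COMPILE_DIR"; \
    cd "$COMPILE_DIR"; \
    wget -O "$VERSION_NGINX.tar.gz"    "$SOURCE_NGINX$VERSION_NGINX.tar.gz"; \
    wget -O "$VERSION_LIBRESSL.tar.gz" "$SOURCE_LIBRESSL$VERSION_LIBRESSL.tar.gz"; \
    wget -O "$VERSION_LUAJIT.zip"      "https://luajit.org/download/$VERSION_LUAJIT.zip"; \
    wget -O vts-exporter.tar.gz \
        "https://github.com/hnlq715/nginx-vts-exporter/releases/download/v$VERSION_VTS_EXPORTER/nginx-vts-exporter-$VERSION_VTS_EXPORTER.linux-amd64.tar.gz"; \
    check "$NGINX_SHA256"        "$VERSION_NGINX.tar.gz"; \
    check "$LIBRESSL_SHA256"     "$VERSION_LIBRESSL.tar.gz"; \
    check "$LUAJIT_SHA256"       "$VERSION_LUAJIT.zip"; \
    check "$VTS_EXPORTER_SHA256" vts-exporter.tar.gz; \
    \
    clone vozlt/nginx-module-vts                          nginx-module-vts                     "$REF_VTS"; \
    clone FRiCKLE/ngx_cache_purge                         ngx_cache_purge                      "$REF_CACHE_PURGE"; \
    clone openresty/lua-nginx-module                      lua-nginx-module                     "$REF_LUA"; \
    clone yaoweibin/ngx_http_substitutions_filter_module  ngx_http_substitutions_filter_module "$REF_SUBS"; \
    clone kvspb/nginx-auth-ldap                           nginx-auth-ldap                      "$REF_AUTH_LDAP"; \
    \
    tar -xzf "$VERSION_NGINX.tar.gz"; \
    tar -xzf "$VERSION_LIBRESSL.tar.gz"; \
    unzip -q "$VERSION_LUAJIT.zip"; \
    tar -xzf vts-exporter.tar.gz; \
    mv "nginx-vts-exporter-$VERSION_VTS_EXPORTER.linux-amd64/nginx-vts-exporter" /bin/; \
    \
    # LibreSSL is pre-built into $STATICLIBSSL/.openssl so that nginx's
    # --with-openssl target (which expects OpenSSL's ./config) already finds the
    # headers and static libs there and links them into the binary.
    cd "$STATICLIBSSL"; \
    ./configure LDFLAGS=-lrt --prefix="$STATICLIBSSL/.openssl/"; \
    make install-strip -j "$NB_PROC"; \
    \
    cd "$COMPILE_DIR/$VERSION_LUAJIT"; \
    make; \
    make install; \
    # lua-nginx-module's config script reads these; /usr/local is LuaJIT's default
    # PREFIX, and the rundeps filter below keeps libraries under /usr/local/lib.
    export LUAJIT_LIB=/usr/local/lib LUAJIT_INC=/usr/local/include/luajit-2.0; \
    \
    cd "$COMPILE_DIR/$VERSION_NGINX"; \
    CONFIG="\
        --prefix=/etc/nginx \
        --sbin-path=/usr/sbin/nginx \
        --modules-path=/usr/lib/nginx/modules \
        --conf-path=/etc/nginx/nginx.conf \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --pid-path=/var/run/nginx.pid \
        --lock-path=/var/run/nginx.lock \
        --http-client-body-temp-path=/var/cache/nginx/client_temp \
        --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
        --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
        --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
        --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
        --user=nginx \
        --group=nginx \
        --with-http_ssl_module \
        --with-http_realip_module \
        --with-http_addition_module \
        --with-http_sub_module \
        --with-http_dav_module \
        --with-http_flv_module \
        --with-http_mp4_module \
        --with-http_gunzip_module \
        --with-http_gzip_static_module \
        --with-http_random_index_module \
        --with-http_secure_link_module \
        --with-http_stub_status_module \
        --with-http_auth_request_module \
        --with-http_xslt_module \
        --with-http_image_filter_module \
        --with-http_geoip_module \
        --with-threads \
        --with-stream \
        --with-stream_ssl_module \
        --with-stream_ssl_preread_module \
        --with-stream_realip_module \
        --with-stream_geoip_module \
        --with-http_slice_module \
        --with-mail \
        --with-mail_ssl_module \
        --with-compat \
        --with-file-aio \
        --with-http_v2_module \
        --with-openssl=$STATICLIBSSL \
        --add-module=$COMPILE_DIR/ngx_http_substitutions_filter_module \
        --add-module=$COMPILE_DIR/ngx_cache_purge \
        --add-module=$COMPILE_DIR/lua-nginx-module \
        --add-module=$COMPILE_DIR/nginx-auth-ldap \
        --add-module=$COMPILE_DIR/nginx-module-vts \
    "; \
    ./configure $CONFIG; \
    make -j "$(getconf _NPROCESSORS_ONLN)"; \
    make install; \
    ln -s ../../usr/lib/nginx/modules /etc/nginx/modules; \
    rm -rf "$COMPILE_DIR"; \
    \
    # Bring in gettext for `envsubst`, park the binary, then drop the rest of gettext.
    apk add --no-cache --virtual .gettext gettext; \
    mv /usr/bin/envsubst /tmp/; \
    \
    # Keep only the shared libraries the binaries actually link against; anything
    # already under /usr/local/lib (LuaJIT) is part of the image and is skipped.
    runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
            | tr ',' '\n' \
            | sort -u \
            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
    )"; \
    apk add --no-cache --virtual .nginx-rundeps $runDeps; \
    apk del .build-deps .gettext; \
    mv /tmp/envsubst /usr/local/bin/; \
    \
    # Forward both logs to the docker log collector. The original linked only
    # access.log, so error.log (where auth_ldap failures are reported) stayed
    # inside the container.
    mkdir -p /var/log/nginx; \
    ln -sf /dev/stdout /var/log/nginx/access.log; \
    ln -sf /dev/stderr /var/log/nginx/error.log

# Documentation only; the shipped config listens on both.
EXPOSE 80 443

# SIGQUIT is nginx's graceful shutdown (finish in-flight requests, then exit);
# SIGTERM is the fast stop.
STOPSIGNAL SIGQUIT

CMD ["nginx", "-g", "daemon off;"]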

Собираем.
Теперь подготовим конфиг для nginx. Обратите внимание: пароль bind-учётки лежит в конфиге открытым текстом, поэтому файл должен быть доступен только root (сам блок ldap_server удобно вынести в отдельный include вне системы контроля версий), а учётка — иметь права только на чтение каталога, а не быть администратором LDAP.

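## LDAP backend for nginx-auth-ldap (kvspb/nginx-auth-ldap).
## The server name is a literal — `$name` is not expanded as a variable — so the
## server is named plainly and referenced by that exact name in auth_ldap_servers.
ldap_server itc_life_ldap1 {
    # ldaps on 636. With plain ldap:// on 389 the bind password AND every user's
    # password cross the network in clear text on each authenticated request.
    url "ldaps://IP_ADDRESS_LDAP:636/DC=itc-life,DC=ru?uid?sub?(objectClass=top)";
    # Verify the directory's certificate; ldaps without this accepts any cert.
    # (Directive names per the module README — confirm against the revision you built.)
    ssl_check_cert on;
    ssl_ca_file PATH_TO_LDAP_CA.pem;
    # Bind with a dedicated read-only service account, not the directory admin:
    # this password sits in clear text in the nginx config, and an admin DN here
    # turns a config leak into full control of the directory.
    binddn "CN=READONLY_BIND_ACCOUNT,DC=itc-life,DC=ru";
    binddn_passwd ПАРОЛЬ_LDAP;
    # group_attribute / group_attribute_is_dn only matter for `require group`;
    # with `require valid_user` every account that can bind gets into Kibana.
    # To restrict access to one group replace the require line with:
    #   require group "GROUP_DN_KIBANA";
    group_attribute "main";
    group_attribute_is_dn on;
    require valid_user;
    max_down_retries 300;
}

## WebSocket-style upgrade: send "Connection: upgrade" only when the client asked
## for an upgrade, "close" otherwise (the pattern from the nginx documentation).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream kibana {
    # Kibana itself performs no authentication in this setup, so port 5601 must
    # be reachable ONLY from this nginx (firewall / private docker network);
    # otherwise the LDAP check is bypassed by connecting to Kibana directly.
    server IP_KIBANA:5601;
}

## Plain-HTTP listener: redirect everything to https, nothing else.
server {
    listen 80;
    server_name kibana.itc-life.ru;
    access_log off;
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name kibana.itc-life.ru;
    include ssl.d/itc-life.ru/ssl.conf;

    # Access logging is kept on here: failed LDAP logins appear as 401s with
    # $remote_user and the client address, which is what you want for incident
    # response (the Dockerfile sends access.log to the container's stdout).

    # Every location under this server requires an LDAP login.
    auth_ldap "Forbidden";
    auth_ldap_servers itc_life_ldap1;

    location / {
        proxy_pass http://kibana;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        # Let Kibana see the real client and the original scheme.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}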

Содержимое ssl.conf (как получить wildcard-сертификат от Let’s Encrypt — в отдельной заметке):

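    # TLS settings for the kibana vhost (included from the `listen 443 ssl` server).
    # `ssl on;` from the original is dropped: `listen ... ssl` already enables TLS
    # and the directive is deprecated.
    ssl_certificate /etc/letsencrypt/live/itc-life.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/itc-life.ru/privkey.pem;

    # OCSP stapling. nginx needs a `resolver` (http or server context) to fetch
    # the OCSP response; ssl_stapling_verify checks that response against
    # ssl_trusted_certificate (Let's Encrypt's chain.pem would be the minimal
    # file here; fullchain.pem also works).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/itc-life.ru/fullchain.pem;

    # DH parameters for the DHE suites below; generate at >= 2048 bits.
    ssl_dhparam /etc/nginx/dhparam.pem;

    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:2m;
    # Session tickets are encrypted with a key that lives as long as the nginx
    # master process; disabling them keeps resumption in the shared cache only
    # and preserves forward secrecy.
    ssl_session_tickets off;

    # TLS 1.0/1.1 are deprecated (RFC 8996) and were the weak spot of the original
    # list. TLS 1.3 is not available with the LibreSSL this image links, so only
    # 1.2 is offered.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only. The original list also enabled static RSA
    # key exchange (kRSA+AES128) and 3DES (kEDH+3DES, DES-CBC3-SHA): neither gives
    # forward secrecy and 3DES is subject to the Sweet32 attack. Unknown names in
    # this list are ignored by the TLS library, so it is safe across versions.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!RC4:!3DES;
    ssl_prefer_server_ciphers on;

    # `always` emits the header on error responses too (e.g. the 401 challenge
    # from auth_ldap), which the bare add_header form skips. The stray `;` inside
    # the original value is removed.
    add_header Strict-Transport-Security "max-age=31536000" always;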
